PII Data Examples: What Counts and What Does Not
Concrete examples of personally identifiable information across healthcare, HR, and administrative contexts, with guidance on when PII becomes PHI.
Short answer
Personally identifiable information (PII) covers any data that can identify a specific person. Healthcare teams encounter PII in patient records, HR systems, vendor contacts, and administrative operations. When PII connects to health or payment context, it becomes PHI and HIPAA applies. Understanding which data examples fall into which category helps staff apply the correct controls.
Understanding which data examples qualify as personally identifiable information (PII) helps healthcare teams apply the right controls to the right data. The examples below cover patient, staff, and vendor contexts, with notes on when PII crosses into PHI territory.
Direct identifiers: clear PII in any context
These data types identify a person on their own with minimal ambiguity:
- Full legal name
- Social Security number (SSN)
- Driver’s license number
- Passport number
- Financial account number (bank account, credit card)
- Date of birth combined with name
- Home address
- Personal email address
- Personal phone number
- Biometric data: fingerprints, retinal scan, voice print, facial geometry
- Full-face photograph or image sufficient to identify the person
- Medical record number or health plan beneficiary ID
Any one of these is PII. In a patient context, each is also a HIPAA identifier. When one appears alongside health or payment information, the record becomes PHI.
Quasi-identifiers: weak alone, strong in combination
Quasi-identifiers do not uniquely identify a person on their own, but combine to create identification risk:
- 5-digit ZIP code
- Birthdate (month and day without year)
- Sex
- Race or ethnicity
- Employer name
- Occupation
- Education level
A classic result from de-identification research: ZIP code, birthdate, and sex, taken together, are enough to uniquely identify a large portion of the US population. A dataset that looks anonymized because names have been removed can therefore still be re-identified through combinations of quasi-identifiers.
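The combination risk described above, as an added Python example that is not part of the original article: it measures how many records in a constructed sample are unique under the (ZIP, birthdate, sex) tuple, then repeats the measurement after coarsening ZIP to three digits and birthdate to year. The sample records, field names and coarsening rules are my assumptions, chosen to illustrate the point.

```python
from collections import Counter

# Constructed sample (no real people). Names are already stripped, as in a
# "seemingly anonymized" export; "dx" stands in for a sensitive attribute.
RECORDS = [
    {"zip": "02139", "dob": "1984-03-17", "sex": "F", "dx": "J45"},
    {"zip": "02139", "dob": "1984-03-17", "sex": "M", "dx": "E11"},
    {"zip": "02139", "dob": "1984-11-02", "sex": "F", "dx": "I10"},
    {"zip": "02140", "dob": "1972-06-30", "sex": "M", "dx": "J45"},
    {"zip": "02140", "dob": "1972-01-12", "sex": "M", "dx": "K21"},
    {"zip": "10001", "dob": "1990-09-09", "sex": "F", "dx": "F41"},
    {"zip": "10001", "dob": "1990-09-09", "sex": "F", "dx": "M54"},
    {"zip": "10002", "dob": "1965-12-25", "sex": "M", "dx": "I10"},
]

# The quasi-identifier columns an outside dataset (voter roll, HR export)
# could plausibly be joined on.
QUASI = ("zip", "dob", "sex")


def raw(field, value):
    """Identity transform: use the quasi-identifiers exactly as stored."""
    return value


def generalized(field, value):
    """Coarsen: ZIP to its first 3 digits, birthdate to year only (assumed rules)."""
    if field == "zip":
        return value[:3]
    if field == "dob":
        return value[:4]
    return value


def key_of(rec, transform=raw):
    return tuple(transform(f, rec[f]) for f in QUASI)


def equivalence_classes(records, transform=raw):
    """Count how many records share each quasi-identifier combination."""
    return Counter(key_of(r, transform) for r in records)


def k_anonymity(records, transform=raw):
    """Smallest group size: k=1 means at least one record is fully unique."""
    return min(equivalence_classes(records, transform).values())


def unique_fraction(records, transform=raw):
    """Share of records that are the only one with their quasi-identifier tuple."""
    classes = equivalence_classes(records, transform)
    return sum(1 for r in records if classes[key_of(r, transform)] == 1) / len(records)


def singletons(records, transform=raw):
    """Residual unique combinations; candidates for suppression before release."""
    return sorted(k for k, c in equivalence_classes(records, transform).items() if c == 1)
```

On this sample the raw tuple singles out 6 of 8 records; coarsening drops that to 2 of 8, but the minimum group size is still 1, so the remaining singletons would have to be suppressed before the data could be treated as de-identified.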
Patient PII examples in a clinic setting
The following appear commonly in clinic operations and are both PII and PHI:
| Data field | PII? | PHI if health context present? |
|---|---|---|
| Patient full name + DOB | Yes | Yes |
| Insurance member ID | Yes | Yes |
| Patient email address | Yes | Yes |
| Patient phone number | Yes | Yes |
| Medical record number | Yes | Yes |
| Appointment date + provider | Yes | Yes |
| Diagnosis code + patient ID | Yes | Yes |
| Lab result + patient name | Yes | Yes |
| Prior authorization reference | Yes | Yes |
| Billing account number | Yes | Yes |
In healthcare, the presence of health context is nearly always implied by the system the data lives in. A scheduling database, a task tracker used for clinical coordination, and an intake form all carry PHI assumptions.
Staff PII examples: not PHI
Employee data in HR systems is PII, but it is not PHI. HIPAA does not cover employment records. These are governed by employment law, state breach notification statutes, and in some cases federal privacy requirements:
- Employee SSN
- Employee date of birth
- Direct deposit banking information
- Personal contact information in HR records
- Performance reviews
- Health insurance enrollment data (as an HR function, not as a provider)
Clinics often store staff PII in cloud HR tools. A breach of that data is not a HIPAA breach — but it may trigger state breach notification obligations depending on the data involved and the state.
Vendor and operational PII: lowest risk category
Contact information for vendor representatives — names, business emails, business phone numbers — is generally not PII in the legally significant sense because it identifies a role or organization rather than a private individual. Business contact information does not warrant the same controls as patient or staff PII.
An exception: if a vendor representative is also a patient at your clinic, their record in the EHR is PHI even if they also appear in your vendor contact list.
When de-identified data is no longer PII
HIPAA recognizes two methods for removing the PHI status from patient data:
- Expert determination — a qualified statistician certifies that the re-identification risk is very small
- Safe Harbor — all 18 HIPAA identifiers are removed, and the covered entity has no actual knowledge that the remaining data can identify the individual
For the 18 identifiers specifically, see 18 HIPAA Identifiers. For a full comparison of PII and PHI in healthcare contexts, see PHI vs PII.
Correctly classifying PII and PHI is the foundation of a functioning access control and vendor management program. For the compliance infrastructure that makes it operational, visit /hipaa.